Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

>11. Sorry, can’t reset password to your current password

This sounds like an erronious error, ie the error message displayed is not the correct error message. There was definitely an error but the error was not that you tried the same password as your current.

I hate erronious errors with a vengance, because they not only break user workflow but they break helpdesk work flow as well then it gets escellated to an engineer who quite often cant fix the actual erronious error but knows what the actual issue is and fixes that anyway.. meaning the erronious error never gets fixed and will mow hang around to chew up everyones time all over again.

such a silly way to waste so much time, over and over.



> This sounds like an erronious error, ie the error message displayed is not the correct error message. There was definitely an error but the error was not that you tried the same password as your current.

What exactly is this based on?

I know I've seen that listed as a requirement (well, actually can't be one of the last 3) on some systems that have annoying password requirements.


I disagree. It’s pretty normal to invalidate the current password on password reset, and to also not allow the same password to be reused.


I agree with you, but would phrase it differently.

You want some indication that any leak of your current password actually hasn't been mitigated. A failure message that your password hasn't actually changed (due to being identical) is functionally the same as allowing the password change and giving a warning that the passwords were identical (modulo some back-end details like if the password salt has changed and if the password change date has been updated).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: